Disabling Azure Disk Encryption - removing the Unified Data Encryption flag

Craig 41 Reputation points Microsoft Employee

The docs say it is not possible to switch from Azure Disk Encryption to Encryption at Host without creating a new VM and new disks.

There appears to be a way to remove the Unified Data Encryption flag on the disks that were formerly encrypted by Azure Disk Encryption.

Question: what are the consequences of removing the UDE? The goal is to move from ADE to Encryption at Host.

```powershell
## Disable the encryption setting for the disk
Update-AzDisk -ResourceGroupName TheDiskResourceGroup -DiskName SomeEncryptedDiskName -DiskUpdate (
    New-AzDiskUpdateConfig -EncryptionSettingsEnabled $false
)
```

Answer accepted by question author

Manish Deshpande 7,010 Reputation points Microsoft External Staff Moderator

Hello @Anonymous

Removing the Unified Data Encryption (UDE) flag from disks encrypted with Azure Disk Encryption (ADE) is not supported for migration to Encryption at Host. This does not make the disk compatible and may cause unsupported setups and risks.

Microsoft does not support an in‑place conversion from Azure Disk Encryption (ADE) to Encryption at Host. This applies even if ADE is disabled and the disk appears decrypted.

https://docs.azure.cn/en-us/virtual-machines/disk-encryption-migrate?tabs=CLI%2CCLI2%2CCLI3%2CCLI4%2CCLI5%2CCLI-cleanup#migration-limitations-and-considerations

Disks that were ever encrypted with ADE retain UDE metadata, and:

  • This metadata persists even after decryption
  • Snapshots and disk copies retain the UDE flag
  • Disks with UDE cannot be used to enable Encryption at Host

This behavior is by design.

Consequences of manually removing the UDE flag:
Removing the UDE flag using unsupported methods (for example, directly updating disk encryption settings) can result in:

  • A configuration that is not supported by Microsoft
  • Failure when enabling Encryption at Host
  • Operational risk during VM restarts, disk attachment, or future platform updates
  • Potential issues during support escalation, as the state is outside documented scenarios

For these reasons, Microsoft strongly recommends not attempting to remove UDE to bypass migration requirements.

Possible action:

The only supported method to move from ADE to Encryption at Host is to create new disks and a new VM with Encryption at Host enabled.

High‑level supported approach:

  1. Back up all data from the existing VM.
  2. Create new managed disks that do not carry ADE/UDE metadata (using the upload method or fresh disk creation).
  3. Deploy a new VM with Encryption at Host enabled.
  4. Attach the new disks and restore application/data as required.
  5. Decommission the old ADE‑encrypted VM and disks once validation is complete.

This ensures the VM is fully compliant, supported, and future‑proof.

Encryption at Host provides:

  • End‑to‑end encryption for OS, data, temp disks, and disk caches
  • No dependency on in‑guest encryption extensions
  • Lower operational complexity compared to ADE

Microsoft also recommends Encryption at Host for all new VM deployments, as Azure Disk Encryption is scheduled for retirement on September 15, 2028.

Thanks,
Manish.


Answer accepted by question author

Jose Benjamin Solis Nolasco 8,561 Reputation points Volunteer Moderator

Welcome to Microsoft Q&A

Hello Craig, I hope you are doing well,

The documentation is correct. Transitioning directly from Azure Disk Encryption (ADE) to Encryption at Host on the same VM/disks is an unsupported migration path.

Here are the exact consequences of running the PowerShell command you provided to force the EncryptionSettingsEnabled flag to $false:

Update-AzDisk command only modifies the Azure Resource Manager (ARM) metadata properties. It does not trigger the BitLocker (Windows) or DM-Crypt (Linux) decryption process inside the guest operating system. If you remove the Unified Data Encryption (UDE) flag while the bits on the disk are still ciphered, you create a split-brain scenario. Upon the next reboot, the Azure platform will read the flag, assume the disk is in plaintext, and refuse to pass the required Key Encryption Key (KEK) or BitLocker Encryption Key (BEK) from your Azure Key Vault to the host machine. The OS will fail to unlock the drive and the VM will be permanently unbootable.

Even if you properly decrypt the disk from within the guest OS first and then run your script, you still cannot enable Encryption at Host. The Azure Compute control plane maintains a historical state of the resource. The ARM API contains a strict validation check that permanently blocks the EncryptionAtHost property from being enabled on any VM or Managed Disk that has ever had the ADE extension installed or the ADE encryption settings enabled. This is a safety mechanism to prevent overlapping encryption corruption.

To achieve your goal, you must create a new VM with Encryption at Host enabled and migrate the data (e.g., via Azure Site Recovery, AzCopy, or backup/restore).

😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

Craig 41 Reputation points Microsoft Employee

Thanks for the answer, that's what I was looking for, sad but true.

That's such an invasive transition (just create a new VM, new disks, and a new AD computer object), and the end result is just that you still accomplish encryption. Really wish the transition from ADE to encryption at host was more seamless.
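As an added example (not code from the thread or from Microsoft), a read-only PowerShell inventory that surfaces the state both answers describe: the persistent `encryptionSettingsCollection` (UDE metadata) on a managed disk, the in-guest ADE status, and whether a VM already runs with Encryption at Host. It assumes the Az.Accounts and Az.Compute modules are installed and `Connect-AzAccount` has already been run.

```powershell
# Added example, not from the thread. Reports which VMs/disks in one resource group
# carry ADE/UDE state (and therefore need new disks and a new VM for Encryption at Host)
# without modifying anything. Assumes Az.Accounts/Az.Compute and an active Az session.
param([Parameter(Mandatory)][string]$ResourceGroupName)

# Disk-level view. A disk that was ever ADE-encrypted keeps an encryptionSettingsCollection
# on the ARM resource; that is the "UDE" metadata. It survives in-guest decryption, so
# Enabled = $false does not mean the disk is eligible for Encryption at Host.
function Get-DiskAdeReport {
    param([string]$ResourceGroupName)
    foreach ($disk in Get-AzDisk -ResourceGroupName $ResourceGroupName) {
        $esc = $disk.EncryptionSettingsCollection
        $verdict = if ($esc) { 'Has UDE metadata: rebuild on a new disk' } else { 'No ADE history' }
        [pscustomobject]@{
            Disk           = $disk.Name
            AttachedTo     = if ($disk.ManagedBy) { ($disk.ManagedBy -split '/')[-1] } else { '-' }
            HasUdeMetadata = [bool]$esc
            AdeSettingsOn  = if ($esc) { [bool]$esc.Enabled } else { $false }
            ServerSideType = $disk.Encryption.Type   # SSE type, independent of ADE
            Verdict        = $verdict
        }
    }
}

# VM-level view: in-guest ADE status (BitLocker / dm-crypt) versus the host-level setting.
function Get-VmEncryptionReport {
    param([string]$ResourceGroupName)
    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        $ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $vm.Name
        $eah = [bool]($vm.SecurityProfile -and $vm.SecurityProfile.EncryptionAtHost)
        $adeInUse = ($ade.OsVolumeEncrypted -ne 'NotEncrypted') -or ($ade.DataVolumesEncrypted -ne 'NotEncrypted')
        $verdict = if ($eah) { 'Already Encryption at Host' }
                   elseif ($adeInUse) { 'ADE in use: migrate to a new VM, do not edit disk flags' }
                   else { 'Check the disk report before enabling Encryption at Host' }
        [pscustomobject]@{
            VM               = $vm.Name
            OsVolumeAde      = $ade.OsVolumeEncrypted
            DataVolumesAde   = $ade.DataVolumesEncrypted
            EncryptionAtHost = $eah
            Verdict          = $verdict
        }
    }
}

Get-VmEncryptionReport -ResourceGroupName $ResourceGroupName | Format-Table -AutoSize
Get-DiskAdeReport      -ResourceGroupName $ResourceGroupName | Format-Table -AutoSize
```

Run it before planning a migration; any disk reported with `HasUdeMetadata = True` is one the answers say must be replaced rather than reflagged.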
